Hardware security
More than a year ago, the Meltdown and
Spectre bugs were revealed to affect
some of the most widely used
processors in the world – and throughout 2018
and even into this year, new variants and threats
based on the bugs have continued to be found.
The vulnerabilities, which appear to be
present in chips from nearly every
manufacturer, enable malicious users
to access protected data on a victim’s device
by exploiting the speculative execution and
caching features of a CPU. While there have not been
any known attacks using these vulnerabilities,
their existence has caused shockwaves
throughout the technology world – and beyond
– due to their prevalence.
Since the bugs were
disclosed, a number of manufacturers have moved
quickly to release patches to mitigate the
problem. However, these software fixes aren’t
ideal, mainly because Meltdown and Spectre
affect features of the CPU which are designed
to improve performance, and applying the
patches results in a noticeable degradation
in performance.
At the end of February 2019, open source
hardware experts at Phoronix noted that Linux
5.0 kernel performance was worse than
previous kernel releases (read the full article
at http://bit.ly/LXFPhoronixLinux5). This
is a worrying trend, as kernel updates should
improve performance, and some readers
pointed out that this performance loss
corresponds with Meltdown and Spectre
mitigations being included in Linux 5.0.
In fact, looking at Phoronix’s
benchmark results, there’s a clear
dip in performance starting from
Linux 4.15, with another large dip
between Linux 4.20 and Linux 5.0.
As Phoronix points out, the
Spectre/Meltdown vulnerabilities
were made public around the
time of Linux 4.14, and in-kernel
mitigations such as PTI and
Retpolines were added – which
supports many people’s fears that if
we are to be protected against Spectre/Meltdown,
we’re going to have to live with the performance
implications that come with software patches.
Google has been even more pessimistic,
recently releasing an analysis of Spectre
which comes to the conclusion that Spectre-like
vulnerabilities will never be fully eradicated by
software patches. In fact, Spectre could
continue to impact processors for the
foreseeable future, while software-based
mitigations will have an even greater impact on
performance. Read the entire paper at
http://bit.ly/LXFGoogleSpectre. For the moment at
least, it looks like we’re going to have to accept
performance hits as a price to pay for security.
The ramifications of Meltdown and Spectre continue, with Google
suggesting that there will never be a software-based fix.
Can Meltdown and Spectre
bugs ever be fixed?
Spectre will be plaguing processors for
the near future, according to Google.
Image credit: TechRadar
LXF249 May 2019 http://www.linuxformat.com